<?xml version="1.0" encoding="UTF-8"?>
<b:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:b="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <!--<http auto-config="true" lowercase-comparisons="false">-->
        <!--<intercept-url pattern="/images/**" filters="none"/>-->
        <!--<intercept-url pattern="/styles/**" filters="none"/>-->
        <!--<intercept-url pattern="/scripts/**" filters="none"/>-->
        <!--<intercept-url pattern="/admin/**" access="ROLE_ADMIN"/>-->
        <!--<intercept-url pattern="/passwordHint*" access="ROLE_ANONYMOUS,ROLE_ADMIN,ROLE_USER"/>-->
        <!--<intercept-url pattern="/signup*" access="ROLE_ANONYMOUS,ROLE_ADMIN,ROLE_USER"/>-->
        <!--<intercept-url pattern="/**/*.action*" access="ROLE_ADMIN,ROLE_USER"/>-->
        <!--<form-login login-page="/login" authentication-failure-url="/login?error=true" login-processing-url="/j_security_check"/>-->
        <!--<remember-me user-service-ref="userDao" key="e37f4b31-0c45-11dd-bd0b-0800200c9a66"/>-->
    <!--</http>-->

    <!--<authentication-manager>-->
        <!--<authentication-provider user-service-ref="userDao">-->
            <!--<password-encoder ref="passwordEncoder"/>-->
        <!--</authentication-provider>-->
    <!--</authentication-manager>-->

    <!--&lt;!&ndash; Override the default password-encoder (SHA) by uncommenting the following and changing the class &ndash;&gt;-->
    <!--&lt;!&ndash; <bean id="passwordEncoder" class="org.springframework.security.authentication.encoding.ShaPasswordEncoder"/> &ndash;&gt;-->

    <!--<global-method-security>-->
        <!--<protect-pointcut expression="execution(* *..service.UserManager.getUsers(..))" access="ROLE_ADMIN"/>-->
        <!--<protect-pointcut expression="execution(* *..service.UserManager.removeUser(..))" access="ROLE_ADMIN"/>-->
    <!--</global-method-security>-->


    <http auto-config="true" access-denied-page="/accessDenied.jsp" lowercase-comparisons="false"
          entry-point-ref="authenticationProcessingFilterEntryPoint">
        <intercept-url pattern="/images/**" filters="none"/>
        <intercept-url pattern="/styles/**" filters="none"/>
        <intercept-url pattern="/scripts/**" filters="none"/>
        <intercept-url pattern="/admin/**" access="ROLE_ADMIN"/>
        <intercept-url pattern="/passwordHint*" access="ROLE_ANONYMOUS,ROLE_ADMIN,ROLE_USER"/>
        <intercept-url pattern="/signup*" access="ROLE_ANONYMOUS,ROLE_ADMIN,ROLE_USER"/>
        <intercept-url pattern="/**/*.html*" access="ROLE_ADMIN,ROLE_USER"/>

        <intercept-url pattern="/Kaptcha*" filters="none" />

           <form-login login-page="/login.html"
                       authentication-failure-url="/login.html?error=true"
                      authentication-success-handler-ref="mySavedRequestAwareAuthenticationSuccessHandler"
                    login-processing-url="/j_security_check" />

      <!-- "记住我"功能，采用持久化策略（将用户的登录信息存放在数据库表中） -->

        <remember-me user-service-ref="userDao" key="e37f4b31-0c45-11dd-bd0b-0800200c9a66"/>
      <!-- 检测失效的sessionId,超时时定位到另外一个URL -->
      <!--<session-management    invalid-session-url="/sessionTimeOut.jsp" />-->

      <!-- 增加一个自定义的filter，放在FILTER_SECURITY_INTERCEPTOR之前，
      实现用户、角色、权限、资源的数据库管理。  -->
        <!--验证码过滤器-->
        <custom-filter ref="loginFilter" before="FORM_LOGIN_FILTER"/>
        <custom-filter ref="myFilter" before="FILTER_SECURITY_INTERCEPTOR"/>

     </http>
     <!-- 一个自定义的filter，必须包含authenticationManager,
  accessDecisionManager,securityMetadataSource三个属性。  -->
 <b:bean id="myFilter"
  class="com.ogilvy.audi.security.MyFilterSecurityInterceptor">
  <b:property name="authenticationManager"
   ref="authenticationManager"/>
  <b:property name="accessDecisionManager"
   ref="myAccessDecisionManager"/>
  <b:property name="securityMetadataSource"
   ref="mySecurityMetadataSource"/>
 </b:bean>

<b:bean id="mySavedRequestAwareAuthenticationSuccessHandler" class="com.ogilvy.audi.security.MySavedRequestAwareAuthenticationSuccessHandler"/>
<b:bean id="myExceptionMappingAuthenticationFailureHandler" class="com.ogilvy.audi.security.MyExceptionMappingAuthenticationFailureHandler"/>

    <b:bean id="authenticationProcessingFilterEntryPoint" class="org.springframework.security.web.authentication.AuthenticationProcessingFilterEntryPoint">
    <b:property name="loginFormUrl" value="/login.html"/>
    </b:bean>


 <!-- 注意能够为authentication-manager 设置alias别名  -->
 <authentication-manager alias="authenticationManager">
  <authentication-provider user-service-ref="userDao">
   <password-encoder ref="passwordEncoder">
    <!--<salt-source user-property="username" />-->
   </password-encoder>
  </authentication-provider>
 </authentication-manager>


 <!-- 访问决策器，决定某个用户具有的角色，是否有足够的权限去访问某个资源。 -->
 <b:bean id="myAccessDecisionManager"
  class="com.ogilvy.audi.security.MyAccessDecisionManager">
 </b:bean>


 <!-- 资源源数据定义，将所有的资源和权限对应关系建立起来，即定义某一资源可以被哪些角色去访问。 -->
 <b:bean id="mySecurityMetadataSource"
  class="com.ogilvy.audi.security.MyInvocationSecurityMetadataSourceService">
 </b:bean>

<b:bean id="loginFilter"
        class="com.ogilvy.audi.security.MyUsernamePasswordAuthenticationFilter">
    <b:property name="authenticationFailureUrl" value="/login.html?error=true&amp;validateCode=true"/>
        <!--&lt;!&ndash; 处理登录的action &ndash;&gt;  -->
        <!--<b:property name="filterProcessesUrl" value="/j_spring_security_check"></b:property>  -->
                <!--&lt;!&ndash; 验证成功后的处理&ndash;&gt;  -->
        <!--<b:property name="authenticationSuccessHandler" ref="loginLogAuthenticationSuccessHandler"></b:property>  -->
                <!--&lt;!&ndash; 验证失败后的处理&ndash;&gt;  -->
        <!--<b:property name="authenticationFailureHandler" ref="simpleUrlAuthenticationFailureHandler"></b:property>  -->
        <!--<b:property name="authenticationManager" ref="myAuthenticationManager"></b:property>  -->
        <!--&lt;!&ndash; 注入DAO为了查询相应的用户 &ndash;&gt;  -->
        <!--<b:property name="usersDao" ref="usersDao"></b:property>  -->
    </b:bean>

</b:beans>
